
Thread: Antivirus 2009 and Spyguard

  1. #21
    Ok, a lot of the items found and not deleted are because a portion of the file or program had already been removed by the various cleaning programs used or are in the quarantine of those programs. So these too will have to be deleted.
    Use this program first to do this:
    Please download OTCleanIt.exe and save to your Desktop.
    • Connect to the Internet and double-click on the file to launch the program.
    • Click on the green CleanUp! button.
    • If you get a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the Internet, please allow the connection.
    • When it has finished, OTCleanIt will ask you to reboot so it can remove itself.

    -- Note: Doing this will remove any specialized tools (including this one) downloaded and used.

    Now after you run this I would like you to run the ESET Scanner once more and post the new log.
    Judy

  2. #22
    # version=4
    # OnlineScanner.ocx=1.0.0.635
    # OnlineScannerDLLA.dll=1, 0, 0, 79
    # OnlineScannerDLLW.dll=1, 0, 0, 78
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=3700 (20081217)
    # vers_arch_module=1.064 (20080214)
    # vers_adv_heur_module=1.064 (20070717)
    # EOSSerial=667904dc1c7b17439b82e369ee33e05b
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2008-12-17 11:05:34
    # local_time=2008-12-17 06:05:34 (-0500, Eastern Standard Time)
    # country="United States"
    # osver=5.1.2600 NT Service Pack 2
    # scanned=392458
    # found=3
    # scan_time=3794
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1187\A0239373.exe multiple infiltrations (deleted) 00000000000000000000000000000000
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1187\A0239373.exe »NSIS »ýˆ€.dll Win32/Adware.SideSearch application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1187\A0239373.exe »NSIS »ClrSchUninstall_78_86.exe Win32/Adware.ClearSearch application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

  3. #23
    Ok, these were all in your System Restore so you need to do the following:
    Go HERE and follow the directions given for XP.
    Then run one more HJT scan and post the log.
    Judy

  4. #24
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:07:13 PM, on 12/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\me\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v47...abblecubes.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
    O16 - DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} (ZenGems Control) - http://www.worldwinner.com/games/v54...ms/zengems.cab
    O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinner.com/games/v41/mines/mines.cab
    O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47...m/skillgam.cab
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46...amesLoader.cab
    O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
    O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
    O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47...itairerush.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52...s/wwhearts.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
    O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56...rsolitaire.cab
    O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49.../blockwerx.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41...l/freecell.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46...o/wordmojo.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41...an/hangman.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42...y/tilecity.cab
    O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
    O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50.../dinerdash.cab
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
    O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44...ol/golfsol.cab
    O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v53...s/wwspades.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
    O20 - AppInit_DLLs: xgyxed.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 10857 bytes

  5. #25
    Sorry Judy, not clean yet.
    Do the following:
    Download ComboFix
    Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
    Once the download is complete you will see the Combofix on the desktop.

    Close all open Windows including this one.

    • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
    • Double-click the ComboFix icon on the desktop to run the program.
    • Windows will issue a prompt asking whether you wish to run the program; click Run.

    You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

    Now just sit back and allow the program to run

    Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
    This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.

    When all is complete then please post back here with that log.

  6. #26
    ComboFix 08-12-17.01 - me 2008-12-18 5:40:34.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.373 [GMT -5:00]
    Running from: c:\documents and settings\me\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\dxkfdiwr.ini
    c:\windows\system32\geBQhIAq.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\tuvtqroM.dll
    c:\windows\system32\txwwaabd.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS
    -------\Service_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
    .

    2008-12-17 11:36 . 2008-12-17 17:02 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-12-12 21:43 . 2008-12-12 21:43 <DIR> d-------- c:\documents and settings\me\Application Data\Malwarebytes
    2008-12-12 20:01 . 2008-12-12 20:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2008-12-12 18:31 . 2008-12-17 07:04 <DIR> d-------- c:\program files\CodeStuff
    2008-12-11 20:34 . 2008-12-11 20:34 <DIR> d-------- c:\windows\ERUNT
    2008-12-11 20:34 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
    2008-12-10 18:41 . 2004-01-27 23:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
    2008-12-10 18:41 . 2004-01-27 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
    2008-12-10 18:40 . 2008-12-10 18:42 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-10 18:24 . 2008-12-10 18:24 0 --a------ c:\windows\SYSTEM32\REN56.tmp
    2008-12-10 18:24 . 2008-12-10 18:24 0 --a------ c:\windows\SYSTEM32\REN55.tmp
    2008-12-09 21:57 . 2008-12-09 21:57 <DIR> d-------- c:\program files\CCleaner
    2008-12-09 20:36 . 2008-12-17 07:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-09 20:36 . 2008-12-09 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-09 20:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-12-09 20:36 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2008-12-08 20:00 . 2008-12-08 20:00 1 --a------ c:\windows\SYSTEM32\edl.dat
    2008-12-08 17:56 . 2008-12-08 17:56 33,832 --a------ c:\windows\SYSTEM32\reuyttwg.exe
    2008-12-08 17:16 . 2008-12-08 17:16 33,832 --a------ c:\windows\SYSTEM32\vfzsqhnh.exe
    2008-12-08 14:47 . 2008-12-08 14:50 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-12-06 15:37 . 2008-12-06 15:37 356 --ah----- C:\aaw7boot.cmd
    2008-12-06 12:37 . 2008-12-06 16:02 <DIR> d-------- c:\documents and settings\me\Application Data\Twain
    2008-12-02 19:20 . 2008-12-02 19:20 <DIR> d-------- c:\windows\SYSTEM32\LogFiles
    2008-11-18 23:37 . 2008-11-18 23:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-18 23:36 . 2008-11-18 23:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-15 19:31 --------- d-----w c:\documents and settings\me\Application Data\U3
    2008-12-13 13:57 --------- d-----w c:\program files\RegScrubXP
    2008-12-13 04:14 --------- d-----w c:\program files\EarthLink TotalAccess
    2008-12-10 23:22 --------- d-----w c:\program files\Java
    2008-12-10 02:47 --------- d-----w c:\program files\SpywareBlaster
    2008-12-09 14:34 --------- d-----w c:\program files\XoftSpy
    2008-12-09 03:00 --------- d-----w c:\program files\FileZilla
    2008-12-09 02:55 --------- d-----w c:\program files\Enigma Software Group
    2008-12-08 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-06 20:57 --------- d-----w c:\program files\Common
    2008-11-19 04:37 --------- d-----w c:\program files\Lavasoft
    2008-11-19 04:04 --------- d-----w c:\program files\TrojanHunter 4.0
    2008-11-05 14:30 --------- d-----w c:\program files\Panda Security
    2008-11-04 12:08 19,143 ----a-w c:\documents and settings\All Users\Application Data\ehaxare.dat
    2008-11-04 12:08 10,567 ----a-w c:\program files\Common Files\dohul.db
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2006-05-26 19:58 16,781,440 ----a-w c:\program files\jre-1_5_0_06-windows-i586-p.exe
    2006-06-09 12:02 88 --sh--r c:\windows\SYSTEM32\397AF2336E.sys
    2004-12-28 01:36 56 --sh--r c:\windows\SYSTEM32\6E33F27A39.sys
    2006-06-09 12:02 4,184 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
    "E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-18 913408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-03-18 200704]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 159744]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 151597]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

    c:\documents and settings\me\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xgyxed.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.enc"= ITIG726.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Sonic RecordNow!"=
    "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "AIM"=c:\progra~1\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    "<NO NAME>"=
    "LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
    "MCUpdateExe"=c:\progra~1\mcafee.com\agent\McUpdate.exe
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe
    "Iomega Automatic Backup 1.0.1"=c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe
    "MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
    S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-05-26 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\SYSTEM32\cleanmgr.exe [2004-08-04 02:56]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (DJFQY641-Owner).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (DJFQY641-Owner).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-ghhgfhfhnoghhkkkkkkg).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-ghhgfhfhnoghhkkkkkkg).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-h).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-h).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-hjlhjhjhnoghghghg).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-hjlhjhjhnoghghghg).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-John).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-John).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-Jordan).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-Jordan).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-me).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-me).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-no).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-18 c:\windows\Tasks\McAfee.com Update Check (JUDY-no).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2005-03-27 c:\windows\Tasks\Scan for Viruses.job
    - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe []

    2005-09-25 c:\windows\Tasks\WebReg psc 1400 series.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-04 19:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://m.www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .

    ************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-18 05:48:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\progra~1\Iomega\System32\AppServices.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\SYSTEM32\HPZipm12.exe
    c:\windows\SYSTEM32\Tablet.exe
    c:\windows\SYSTEM32\wscntfy.exe
    .
    ************************************************************************
    .
    Completion time: 2008-12-18 5:53:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-18 10:52:32

    Pre-Run: 15,911,882,752 bytes free
    Post-Run: 15,909,453,824 bytes free

    209 --- E O F --- 2008-11-19 08:05:01

  7. #27
    Open Notepad (it must be Notepad) and copy/paste the text in the quote box below into it:

    FILE::
    c:\windows\SYSTEM32\REN56.tmp
    c:\windows\SYSTEM32\REN55.tmp
    c:\windows\SYSTEM32\reuyttwg.exe
    c:\windows\SYSTEM32\vfzsqhnh.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xgyxed.dll
    Save this as CFScript.txt to your desktop.

    Close all open browsers.
    Take this CFScript.txt and drag it onto Combofix. Combofix will run again, allow it to do so. Do not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When the program is finished it will produce another log. Save that for posting here. Run a new HJT scan and save the log.
    Post back here with the combofix log and the new HJT log.
    Judy
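    A small triage helper, added here as an example (it is not a tool from this thread or from the HijackThis/ComboFix authors): it parses the HijackThis and ComboFix "Files Created" line formats seen in the logs above, flags the kinds of entries the helper acted on in #25 and #27 (the AppInit_DLLs value, freshly written executables and zero-byte .tmp files dropped straight into system32, Run entries with no full path), and renders a CFScript.txt with the FILE:: and Registry:: sections used in #27. The sample log lines are constructed; the Registry:: section is assumed to accept regedit-format lines, as the script posted in #27 does.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": a person confirms it first
    kind: str       # "appinit_dll", "run_bare_name" or "new_system32_file"
    value: str      # the DLL name or path taken from the log line
    note: str


# HijackThis line, e.g. "O20 - AppInit_DLLs: xgyxed.dll"
HJT_LINE = re.compile(r"^([ORF]\d+) - (.*)$")
# O4 body, e.g. "HKLM\..\Run: [Name] command"
O4_RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# ComboFix "Files Created" line: created . modified size attributes path
CF_CREATED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$")
SYSTEM32_ROOT = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"


def triage_hjt(text):
    """Flag the HJT entries that mattered for this thread's cleanup."""
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # the value is empty on a clean home XP machine
                findings.append(Finding("high", "appinit_dll", dll,
                    "AppInit_DLLs is loaded into every process that maps user32.dll"))
        elif section == "O4":
            run = O4_RUN.match(body)
            if run and "\\" not in run.group(3):
                findings.append(Finding("review", "run_bare_name", run.group(3),
                    "Run value has no full path; resolve it and verify the file"))
    return findings


def triage_combofix_created(text):
    """Flag new files written straight into system32 (not into a subfolder)."""
    findings = []
    for line in text.splitlines():
        m = CF_CREATED.match(line.strip())
        if not m:
            continue
        created, modified, size, _attrs, path = m.groups()
        if size == "<DIR>" or not SYSTEM32_ROOT.match(path):
            continue
        ext = path.rsplit(".", 1)[-1].lower()
        if ext in ("exe", "dll") and created == modified:
            # created == modified: written fresh, not copied from install media
            findings.append(Finding("review", "new_system32_file", path,
                f"new {ext} written directly to system32 at {created}"))
        elif ext == "tmp" and size == "0":
            findings.append(Finding("review", "new_system32_file", path,
                "zero-byte .tmp left in system32"))
    return findings


def build_cfscript(confirmed_files, clear_appinit_dlls=False):
    """Render a CFScript.txt with FILE:: and Registry:: sections.
    Assumption: Registry:: takes regedit-format lines, as the posted script does."""
    lines = []
    if confirmed_files:
        lines.append("FILE::")
        lines.extend(confirmed_files)
        lines.append("")
    if clear_appinit_dlls:
        lines.append("Registry::")
        lines.append("[" + APPINIT_KEY + "]")
        lines.append('"AppInit_DLLs"=""')  # empties the value; the key itself stays
    return "\n".join(lines) + "\n"


# Constructed sample lines modelled on the formats in the logs above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O20 - AppInit_DLLs: xgyxed.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""
SAMPLE_CF = r"""
2008-12-11 20:34 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
2008-12-10 18:24 . 2008-12-10 18:24 0 --a------ c:\windows\SYSTEM32\REN56.tmp
2008-12-08 17:56 . 2008-12-08 17:56 33,832 --a------ c:\windows\SYSTEM32\reuyttwg.exe
2008-12-09 20:36 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
"""

if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT) + triage_combofix_created(SAMPLE_CF)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.value} -- {f.note}")
    files = [f.value for f in found if f.kind == "new_system32_file"]
    print(build_cfscript(files, any(f.kind == "appinit_dll" for f in found)))
```

    The "review" findings are a prompt to verify the file (the bare BCMSMMSG.exe in the sample is a legitimate modem helper), so only paths a person has confirmed should be passed to build_cfscript.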

  8. #28
    ComboFix 08-12-17.01 - me 2008-12-18 19:18:33.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.448 [GMT -5:00]
    Running from: c:\documents and settings\me\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\windows\SYSTEM32\REN55.tmp
    c:\windows\SYSTEM32\REN56.tmp
    c:\windows\SYSTEM32\reuyttwg.exe
    c:\windows\SYSTEM32\vfzsqhnh.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\SYSTEM32\REN55.tmp
    c:\windows\SYSTEM32\REN56.tmp
    c:\windows\SYSTEM32\reuyttwg.exe
    c:\windows\SYSTEM32\vfzsqhnh.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
    .

    2008-12-17 11:36 . 2008-12-17 17:02 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-12-12 21:43 . 2008-12-12 21:43 <DIR> d-------- c:\documents and settings\me\Application Data\Malwarebytes
    2008-12-12 20:01 . 2008-12-12 20:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2008-12-12 18:31 . 2008-12-17 07:04 <DIR> d-------- c:\program files\CodeStuff
    2008-12-11 20:34 . 2008-12-11 20:34 <DIR> d-------- c:\windows\ERUNT
    2008-12-11 20:34 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
    2008-12-10 18:41 . 2004-01-27 23:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
    2008-12-10 18:41 . 2004-01-27 23:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
    2008-12-10 18:40 . 2008-12-10 18:42 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-09 21:57 . 2008-12-09 21:57 <DIR> d-------- c:\program files\CCleaner
    2008-12-09 20:36 . 2008-12-17 07:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-09 20:36 . 2008-12-09 20:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-09 20:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-12-09 20:36 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
    2008-12-08 20:00 . 2008-12-08 20:00 1 --a------ c:\windows\SYSTEM32\edl.dat
    2008-12-08 14:47 . 2008-12-08 14:50 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-12-06 15:37 . 2008-12-06 15:37 356 --ah----- C:\aaw7boot.cmd
    2008-12-06 12:37 . 2008-12-06 16:02 <DIR> d-------- c:\documents and settings\me\Application Data\Twain
    2008-12-02 19:20 . 2008-12-02 19:20 <DIR> d-------- c:\windows\SYSTEM32\LogFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-15 19:31 --------- d-----w c:\documents and settings\me\Application Data\U3
    2008-12-13 13:57 --------- d-----w c:\program files\RegScrubXP
    2008-12-13 04:14 --------- d-----w c:\program files\EarthLink TotalAccess
    2008-12-10 23:22 --------- d-----w c:\program files\Java
    2008-12-10 02:47 --------- d-----w c:\program files\SpywareBlaster
    2008-12-09 14:34 --------- d-----w c:\program files\XoftSpy
    2008-12-09 03:00 --------- d-----w c:\program files\FileZilla
    2008-12-09 02:55 --------- d-----w c:\program files\Enigma Software Group
    2008-12-08 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-06 20:57 --------- d-----w c:\program files\Common
    2008-11-19 04:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-19 04:37 --------- d-----w c:\program files\Lavasoft
    2008-11-19 04:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-19 04:04 --------- d-----w c:\program files\TrojanHunter 4.0
    2008-11-05 14:30 --------- d-----w c:\program files\Panda Security
    2008-11-04 12:08 19,143 ----a-w c:\documents and settings\All Users\Application Data\ehaxare.dat
    2008-11-04 12:08 10,567 ----a-w c:\program files\Common Files\dohul.db
    2008-11-04 11:17 1,489,903 --sha-w c:\windows\SYSTEM32\afldcxdr.tmp
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
    2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
    2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
    2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
    2006-05-26 19:58 16,781,440 ----a-w c:\program files\jre-1_5_0_06-windows-i586-p.exe
    2006-06-09 12:02 88 --sh--r c:\windows\SYSTEM32\397AF2336E.sys
    2004-12-28 01:36 56 --sh--r c:\windows\SYSTEM32\6E33F27A39.sys
    2006-06-09 12:02 4,184 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
    "E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-18 913408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2003-03-18 200704]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 159744]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 151597]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

    c:\documents and settings\me\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.enc"= ITIG726.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Sonic RecordNow!"=
    "Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
    "AIM"=c:\progra~1\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    "<NO NAME>"=
    "LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
    "MCUpdateExe"=c:\progra~1\mcafee.com\agent\McUpdate.exe
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe
    "Iomega Automatic Backup 1.0.1"=c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe
    "MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
    S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-05-26 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\SYSTEM32\cleanmgr.exe [2004-08-04 02:56]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (DJFQY641-Owner).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (DJFQY641-Owner).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-ghhgfhfhnoghhkkkkkkg).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-ghhgfhfhnoghhkkkkkkg).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-h).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-h).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-hjlhjhjhnoghghghg).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-hjlhjhjhnoghghghg).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-John).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-John).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-Jordan).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-Jordan).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-me).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-me).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-no).job
    - c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-04 19:25]

    2008-12-19 c:\windows\Tasks\McAfee.com Update Check (JUDY-no).job
    - c:\progra~1\mcafee.com\agent [2008-08-17 05:22]

    2005-03-27 c:\windows\Tasks\Scan for Viruses.job
    - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe []

    2005-09-25 c:\windows\Tasks\WebReg psc 1400 series.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-04 19:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://m.www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-18 19:21:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(628)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2008-12-18 19:23:22
    ComboFix-quarantined-files.txt 2008-12-19 00:22:05
    ComboFix2.txt 2008-12-18 10:53:22

    Pre-Run: 15,877,423,104 bytes free
    Post-Run: 15,865,602,048 bytes free

    216 --- E O F --- 2008-11-19 08:05:01


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:26:38 PM, on 12/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\me\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v47...abblecubes.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
    O16 - DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} (ZenGems Control) - http://www.worldwinner.com/games/v54...ms/zengems.cab
    O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinner.com/games/v41/mines/mines.cab
    O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47...m/skillgam.cab
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46...amesLoader.cab
    O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
    O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
    O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47...itairerush.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52...s/wwhearts.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
    O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56...rsolitaire.cab
    O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49.../blockwerx.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41...l/freecell.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46...o/wordmojo.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
    O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41...an/hangman.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42...y/tilecity.cab
    O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
    O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50.../dinerdash.cab
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
    O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44...ol/golfsol.cab
    O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v53...s/wwspades.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 10805 bytes
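    The HijackThis log above is what the helper reviews by eye: O4 lines are autostart entries, O16 lines are downloaded ActiveX controls, O23 lines are services. As an added example (not part of the thread, and not code from HijackThis or ComboFix), the Python below parses lines in that format, pulls out the launched executable or service binary, and flags the two things a reviewer checks first in such a log: a Run entry that names a bare file (like the `[BCMSMMSG] BCMSMMSG.exe` line above, which is resolved through the search path rather than a fixed location) and a service whose publisher is recorded as "Unknown owner". The sample lines are constructed, modelled on the posted log; the regexes and the `Entry` class are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in HijackThis v2 log format, modelled on the
# log posted in the thread. Only here so the parser runs stand-alone.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O4 - HKLM\\..\\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\\..\\Run: [MCAgentExe] c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe
O4 - HKCU\\..\\Run: [DellSupport] "C:\\Program Files\\DellSupport\\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\\WINDOWS\\system32\\Tablet.exe
--
End of file - 10805 bytes
"""

# Every HJT entry is "<code> - <body>"; everything else (process list, trailer) is skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 registry Run/RunOnce entries under HKLM or HKCU (HKUS\S-1-5-xx entries are not handled here).
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup-folder shortcuts.
O4_STARTUP_RE = re.compile(r"^(?P<key>Startup|Global Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# O16 downloaded program files: CLSID, optional description, source URL.
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# O23 services: display name, publisher, binary path.
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Unquoted command line: cut at the first executable extension followed by a space or the end.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    fields: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program a Run/Startup command launches, dropping switches such as /startup."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def is_full_path(p: str) -> bool:
    # Drive-letter or %variable%-rooted paths are fixed; a bare "foo.exe" is found via the search path.
    return re.match(r"^[A-Za-z]:\\", p) is not None or p.startswith("%")


def parse_hjt(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        e = Entry(m["code"], m["body"])
        if e.code == "O4":
            r = O4_REG_RE.match(e.body) or O4_STARTUP_RE.match(e.body)
            if r:
                e.fields = r.groupdict()
                e.fields["exe"] = executable_of(r["cmd"])
                if not is_full_path(e.fields["exe"]):
                    e.notes.append("launched by bare file name, not a full path")
        elif e.code == "O16":
            r = O16_RE.match(e.body)
            if r:
                e.fields = r.groupdict()
        elif e.code == "O23":
            r = O23_RE.match(e.body)
            if r:
                e.fields = r.groupdict()
                if r["owner"] == "Unknown owner":
                    e.notes.append("service binary has no recorded publisher")
        entries.append(e)
    return entries


def summarize(entries: list[Entry]) -> dict[str, int]:
    """Count entries per HJT section code, e.g. {"O4": 4, "O16": 1, "O23": 2}."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def review(text: str) -> list[Entry]:
    """Entries a reviewer should look up before deciding whether to fix them."""
    return [e for e in parse_hjt(text) if e.notes]


if __name__ == "__main__":
    print(summarize(parse_hjt(SAMPLE_LOG)))
    for e in review(SAMPLE_LOG):
        print(e.code, e.fields.get("name"), "->", "; ".join(e.notes))
```

Flagged entries are not verdicts: a bare-name Run entry or an "Unknown owner" service is simply one the reviewer confirms against the file on disk before deciding, which is the same judgement the helper applies by hand above.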

  9. #29
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Looks good Judy! How are things running?

  10. #30
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If all is running well you should uninstall combofix this way:

    • Click START then RUN
    • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

    When shown the disclaimer, Select "2"

    Then reset System Restore so all restore points are clean.
    Follow the directions given HERE

    Judy.
